author | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-02 14:37:50 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-02 14:40:34 +0000 |
commit | 60ab8e12aecd5f2691495bcc3a8bf5b956777c33 (patch) | |
tree | 75c9517d0ca76144c4750858454f30b377f59020 /main/xen/xsa108.patch | |
parent | 4c57113c71d286a57c2f4e487260597d04319902 (diff) | |
download | aports-60ab8e12aecd5f2691495bcc3a8bf5b956777c33.tar.bz2 aports-60ab8e12aecd5f2691495bcc3a8bf5b956777c33.tar.xz |
main/xen: upgrade to 4.3.3 and fix CVE-2014-7188

The following critical vulnerabilities have been fixed:

- CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
- CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be created
- CVE-2014-3967, CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
- CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests

Also add patch for xsa108:

- CVE-2014-7188: Improper MSR range used for x2APIC emulation.

ref #3412
Diffstat (limited to 'main/xen/xsa108.patch')
-rw-r--r-- | main/xen/xsa108.patch | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/main/xen/xsa108.patch b/main/xen/xsa108.patch new file mode 100644 index 0000000000..e162185789 --- /dev/null +++ b/main/xen/xsa108.patch @@ -0,0 +1,36 @@ +x86/HVM: properly bound x2APIC MSR range + +While the write path change appears to be purely cosmetic (but still +gets done here for consistency), the read side mistake permitted +accesses beyond the virtual APIC page. + +Note that while this isn't fully in line with the specification +(digesting MSRs 0x800-0xBFF for the x2APIC), this is the minimal +possible fix addressing the security issue and getting x2APIC related +code into a consistent shape (elsewhere a 256 rather than 1024 wide +window is being used too). This will be dealt with subsequently. + +This is XSA-108. + +Signed-off-by: Jan Beulich <jbeulich@suse.com> + +--- a/xen/arch/x86/hvm/hvm.c ++++ b/xen/arch/x86/hvm/hvm.c +@@ -4380,7 +4380,7 @@ int hvm_msr_read_intercept(unsigned int + *msr_content = vcpu_vlapic(v)->hw.apic_base_msr; + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_read(v, msr, msr_content) ) + goto gp_fault; + break; +@@ -4506,7 +4506,7 @@ int hvm_msr_write_intercept(unsigned int + vlapic_tdt_msr_set(vcpu_vlapic(v), msr_content); + break; + +- case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0x3ff: ++ case MSR_IA32_APICBASE_MSR ... MSR_IA32_APICBASE_MSR + 0xff: + if ( hvm_x2apic_msr_write(v, msr, msr_content) ) + goto gp_fault; + break; |
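
Review bot: In the hvm_msr_read_intercept hunk, the new upper bound `MSR_IA32_APICBASE_MSR + 0xff` is a bare literal, while the description says a 256-wide window is already used elsewhere in the x2APIC code. The read-side problem came from this case range admitting MSRs beyond the virtual APIC page, so consider defining the window size once as a named constant and using it both in this case label and in the code that turns the MSR number into an offset, so the two cannot drift apart again. A bounds check inside hvm_x2apic_msr_read itself (its body is not visible in this hunk) would keep the page access safe regardless of the range the caller passes through.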
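
Review bot: In the hvm_msr_write_intercept hunk, narrowing the range to `MSR_IA32_APICBASE_MSR + 0xff` means that writes to the remainder of the 0x800-0xBFF range, which the description says the specification assigns to the x2APIC, no longer reach hvm_x2apic_msr_write and instead land in whichever case follows in the switch, which is outside the visible context. A short comment at the case label stating that the 256-entry window is intentional and that the remaining MSRs are left to the follow-up change mentioned in the description would keep a later reader from treating this as a regression. The same comment would be useful at the read-side case label.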